author | Isaac Boukris <iboukris@gmail.com> | 2018-11-07 22:53:35 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-12-04 18:36:56 +0100 |
commit | 6d9c94e82c0cc9fa314de2ad8969d01bac11bd0f (patch) | |
tree | d497f7d3cb7e2ea76b79801a58859da0d453d73c | |
parent | c4c0a23a34cfe21484f2dbc2830d85aff5929724 (diff) | |
download | samba-6d9c94e82c0cc9fa314de2ad8969d01bac11bd0f.tar.gz |
CVE-2018-16853: fix crash in expired passowrd case
When calling encode_krb5_padata_sequence() make sure to
pass a null-terminated array as required.
Fixes expired password case in samba4.blackbox.kinit test.
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(v4-8-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-8-test): Tue Dec 4 18:36:56 CET 2018 on sn-devel-144
-rw-r--r-- | source4/kdc/mit_samba.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 1cd6750f5ab..8283c726487 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -855,7 +855,7 @@ krb5_error_code encode_krb5_padata_sequence(krb5_pa_data *const *rep, krb5_data
 static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
 {
 krb5_error_code ret = 0;
- krb5_pa_data pa, *ppa = NULL;
+ krb5_pa_data pa, *ppa[2];
 krb5_data *d = NULL;
 if (!e_data)
@@ -876,9 +876,10 @@ static void samba_kdc_build_edata_reply(NTSTATUS nt_status, DATA_BLOB *e_data)
 SIVAL(pa.contents, 4, 0);
 SIVAL(pa.contents, 8, 1);
- ppa = &pa;
+ ppa[0] = &pa;
+ ppa[1] = NULL;
- ret = encode_krb5_padata_sequence(&ppa, &d);
+ ret = encode_krb5_padata_sequence(ppa, &d);
 free(pa.contents);
 if (ret) {
 return; |
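Review bot: The `ppa[1] = NULL;` terminator added in the second hunk is the entire fix, yet nothing in the code records why it has to be there. The prototype shown in the first hunk header (`krb5_pa_data *const *rep`) carries no length, and the commit message says the encoder requires a null-terminated array, so the old `&ppa` presumably let it read past a single stack pointer. I would add a comment above the two assignments, e.g. `/* encode_krb5_padata_sequence() walks the array until a NULL entry; ppa[1] must stay NULL */`, so a later cleanup does not reintroduce the over-read. Declaring the array already initialised, `krb5_pa_data *ppa[2] = { &pa, NULL };`, would also remove the stretch after the first hunk's declaration where `ppa` is uninitialised. The function body continues between and after the hunks, so how `d` is released after a successful encode cannot be checked from here.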